<!DOCTYPE HTML>
<html lang="en">
    <head>
    <meta charset="UTF-8"/>

    
    


























    
    <title>The Curious Case of “Monti” Ransomware: A Real-World Doppelganger</title>
    
    

<script type="application/ld+json">
    {
        "@context": "https://schema.org",
        "@type": "NewsArticle",
        "mainEntityOfPage": {
            "@type": "WebPage",
            "@id": "https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger"
        },
        "headline": "The Curious Case of “Monti” Ransomware: A Real-World Doppelganger",
        "image": [
            "/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-thumb-466x261.png",
            "/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-social-1200x630.png"
        ],
        "datePublished": "2022-09-07T01:01:00.000-07:00",
        "author": [{
                    "@type": "Person",
                    "name": "Anuj Soni"
                }
,{
                    "@type": "Person",
                    "name": "Ryan Chapman"
                }
],
        "publisher": {
            "@type": "Organization",
            "name": "BlackBerry",
            "logo": {
                "@type": "ImageObject",
                "url": "https://blogs.blackberry.com/content/dam/blackberry-com/Images/logos/BlackBerry_Logo_Black_150.png"
            }
        }
    }
</script>

    <meta name="keywords" content="Research, Cybersecurity"/>
    <meta name="description" content="While working a recent ransomware incident, BlackBerry identified a group whose name and TTPs mimicked the long-standing, popular ransomware crew Conti. Furthermore, the encryptor payload used in the attack was taken from the original group and modified for use with this new group. Who was this doppelganger? "/>
    
    <link rel="icon" href="/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/bbcom-aem-project/images/favicon.ico"/>
    <meta name="viewport" content="width=device-width, initial-scale=1"/>
    <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
    
    
    
    <link rel="canonical" href="https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger"/>
    <meta name="author" content="blogs.blackberry.com"/>
    <meta property="og:url" content="https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger"/>
    <meta property="og:title" content="The Curious Case of “Monti” Ransomware: A Real-World Doppelganger"/>
    <meta property="og:description" content="While working a recent ransomware incident, BlackBerry identified a group whose name and TTPs mimicked the long-standing, popular ransomware crew Conti. Furthermore, the encryptor payload used in the attack was taken from the original group and modified for use with this new group. Who was this doppelganger? "/>
    <meta property="og:type" content="article"/>
    <meta property="og:image" content="https://blogs.blackberry.com/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-social-1200x630.png"/>
    <meta name="twitter:card" content="summary_large_image"/>
    <meta name="twitter:site" content="@BlackBerry"/>
    <meta name="twitter:title" content="The Curious Case of “Monti” Ransomware: A Real-World Doppelganger"/>
    <meta name="twitter:description" content="While working a recent ransomware incident, BlackBerry identified a group whose name and TTPs mimicked the long-standing, popular ransomware crew Conti. Furthermore, the encryptor payload used in the attack was taken from the original group and modified for use with this new group. Who was this doppelganger? "/>
    <meta name="twitter:image" content="https://blogs.blackberry.com/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-social-1200x630.png"/>

    

    
    
<link rel="stylesheet" href="/etc.clientlibs/blogs-bbcom/clientlibs/clientlib-site.min.212090aa91e144ce76b952f074e6c1ba.css" type="text/css">





    











    

    



<script src="https://kit.fontawesome.com/3c243f8233.js" crossorigin="anonymous"></script>

    
    
    

    
    
    
    

    
</head>
    <body class="page basicpage" data-enable-history="true">
        
        
            



            

  

<header>
    




    
    
    



</header><main>
    




    
    


    
    
    <div class="blogsection">
    <section class="section     ">
      
      <div class="container sectionPadding py-0">
           
      <div class="col-md-9 col-lg-9 col-sm-12">
          




    
    
    <div class="cmp cmp-title blog-title row">
  

<div class="col-md-12 col-lg-12 col-sm-12">
<h1>The Curious Case of “Monti” Ransomware: A Real-World Doppelganger</h1>
</div>



    
</div>


    
    
    <div class="categorydateauthor"><!--Pulling author bio from author page-->
<div class="categorydateauthor">
<span><a title="RESEARCH &amp; INTELLIGENCE" href="/en/category/research-and-intelligence">RESEARCH &amp; INTELLIGENCE</a> / </span><span class="publish-date"><time datetime="2022-09-07">09.07.22</time> / </span>

    <span class="author"><a href="/en/author/anuj-soni">Anuj Soni</a>, <a href="/en/author/ryan-chapman">Ryan Chapman</a></span>

</div></div>


    
    


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger/_jcr_content/main/par/sectionblog/par/image_1451497176.coreimg{.width}.png/1663290691265/monti-article-875x530.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-article-875x530.png" data-asset-id="c3611c34-bcd1-4909-9a15-0d6ade2788c1" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-article-875x530.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p>A ransomware victim called in the BlackBerry Incident Response (IR) team during this year's 4th of July holiday weekend. We quickly realized we were investigating an attack by a previously unknown group calling themselves “MONTI.” They encrypted nearly 20 user hosts along with a multi-host VMware ESXi cluster, taking down over 20 servers.</p>
<p>Threat research shows that the only credible reference to the “Monti” ransomware group prior to today was a tweet from security researchers at <a href="https://twitter.com/malwrhunterteam?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor" target="_blank" rel="noopener noreferrer">MalwareHunterTeam</a>, posted on June 30, 2022. The tweet suggested that Monti ransomware may have had “5-10 victims in the past months,” though no data on these victims is publicly available.</p>
<p>Most Indicators of Compromise (IOCs) identified by the BlackBerry IR team in the Monti attack were also seen in previous <a href="https://blogs.blackberry.com/en/2021/05/threat-thursday-conti-ransoms-over-400-organizations-worldwide" target="_blank" rel="noopener noreferrer">Conti</a> ransomware cases — with one exception: the Monti threat actors leveraged the Action1 Remote Monitoring and Management (RMM) agent.</p>
<p>This article provides a general overview of the incident, describes the unique characteristics of this “new” threat actor group, and includes malware analysis of the payload used. We also include a breakdown of “Veeamp,” a password-stealing malware targeting the <a href="https://www.veeam.com/" target="_blank" rel="noopener noreferrer">Veeam</a> data backup application, which was identified during the incident.</p>
<h3><b>Operating System</b></h3>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger/_jcr_content/main/par/sectionblog/par/image_1617528847.coreimg{.width}.png/1663290691288/monti-table001.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-table001.png" data-asset-id="ed433a08-64ff-42bb-94c5-171df3d6b866" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-table001.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <h3><b>Risk &amp; Impact</b></h3>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger/_jcr_content/main/par/sectionblog/par/image_444184585.coreimg{.width}.png/1663290691312/monti-table002.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-table002.png" data-asset-id="461c9d5d-fd00-4cb3-bbb0-8ab52381a705" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-table002.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <h3><b>Monti Ransomware Incident Overview</b></h3>
<p>On July 5, 2022, a client engaged the BlackBerry® Security Services Incident Response team to perform a forensic investigation and respond to a ransomware-related security incident. The security incident occurred when a threat actor group calling itself “MONTI” obtained access to the client’s environment.</p>
<p>The threat actor apparently intruded via an exploitation of the well-known “<a href="https://blogs.blackberry.com/en/2022/01/log4u-shell4me" target="_blank">Log4Shell</a>” vulnerability (a.k.a. <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-44228" target="_blank">CVE-2021-44228</a>) in the client’s internet-facing VMware Horizon virtualization system. By the time the BlackBerry team was engaged, the operators had already encrypted 18 user desktops. They had also encrypted a three-server ESXi cluster, which resulted in 21 virtualized servers being impacted. Figure 1 provides an overview of the incident.</p>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger/_jcr_content/main/par/sectionblog/par/image_972247027.coreimg{.width}.png/1663290691335/monti-fig01.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig01.png" data-asset-id="352b4fd5-5879-44b3-a6fc-9a8c5c0a9df0" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig01.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p><i>Figure 1 - Overview of the “MONTI strain” ransomware incident</i></p>
<p>The threat actor initially obtained access to the client’s VMware Horizon Connection Broker server via Log4Shell exploitation on June 29, 2022. After entering the client’s environment, it installed the Google Chrome™ browser and used it to download attack tools to the server.</p>
<p>The threat actor also downloaded and installed two remote monitoring and maintenance (RMM) agents, AnyDesk and Action1, which we’ll describe in more detail later. It used these agents to establish persistence within the network and to facilitate additional remote access.</p>
<p>The attackers also used tooling they’d brought into the environment to dump credentials from memory and scan the network. They used Microsoft® Windows® built-in Remote Desktop Protocol (RDP) to connect to other servers, access data files on network shares, and eventually to deploy the “MONTI” strain of ransomware. The goal of this activity was to encrypt multiple hosts within the network (including Veeam-based backups).</p>
<h3><b>Meet the Mysterious Monti Ransomware Group</b></h3>
<p>The threat group referring to itself as “MONTI” is little-known within the threat intelligence community. The limited evidence we discovered regarding this threat actor indicates they emerged between May and June 2022.</p>
<p>Based on analysis conducted in this investigation, BlackBerry researchers believe that the Monti group has purposefully (and brazenly) mimicked the better-known &quot;Conti&quot; team's tactics, techniques, and procedures (TTPs), along with many of its tools and its ransomware encryptor payload.</p>
<p>It seems likely that attackers chose this blatant emulation strategy because of the availability of Conti group’s internal communications, chat logs, training guides, real-world identities, and source code — all of which were publicly leaked on the internet starting in February 2022. Having access to this trove of information effectively gave Monti threat actors a step-by-step guide to emulating Conti’s notoriously successful activities.</p>
<p>As a response to the data leak, the Conti group went into hiding. Currently, the original Conti ransomware operations group is believed to have dispersed and is no longer in business.</p>
<p>At the time of writing this report, public internet and darknet research revealed only a single mention of the Monti ransomware crew, in the form of a Twitter post from the account “MalwareHunterTeam” (@malwrhunterteam). This tweet, shown in Figure 2, includes a screenshot of the “MONTI strain” ransomware note, and alludes to possible re-use of the Conti codebase.</p>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger/_jcr_content/main/par/sectionblog/par/image_1597094375.coreimg{.width}.png/1663290691358/monti-fig02.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig02.png" data-asset-id="19346d23-8957-4759-80ca-a70bd99cd9f2" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig02.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p><i>Figure 2 - A tweet from June 30, 2022, discussing “MONTI strain” of ransomware</i></p>
<p>Because a mountain of analysis already exists to explain Conti ransomware operations, we will focus on what makes the Monti group unique, and what you can expect when a “doppelganger” group such as this spins up operations.</p>
<h3><b>Unique Characteristics of Monti Ransomware</b></h3>
<p>The ransom note left by the threat actor is taken directly from previously seen Conti notes, with two minor changes:</p>
<ul>
<li>The beginning of the note mentions “MONTI” as opposed to “CONTI.” (The remainder of this sentence is Conti’s verbiage, including the instruction to “Google it”: “All of your files are currently encrypted by <b>MONTI </b>strain. If you don't know who we are - just ‘Google it.’”)</li>
<li>The TOR-based (.onion domain) URL provided for contacting the Monti group is unique.</li>
</ul>
<p>As of July 5, 2022, the .onion domain provided for contacting Monti was unavailable. BlackBerry researchers were unable to find any indication that the domain was ever accessible. Public and darknet research, along with communications with fellow incident response firms, did not reveal any confirmation that the domain was up and running at any time.</p>
<p>Given the lack of evidence from other Monti cases, we might never know if the domain was ever accessible. If this is the case, the Monti group might have never been able to collect a ransom. (Should any researcher reading this article have information on a Monti domain/URL being accessible, we would love to hear from you.)</p>
<p>In addition to changes in the ransom note, the threat actor leveraged a commercial, cloud-based RMM platform called <a href="https://www.action1.com/about-us/" target="_blank">Action1</a>, which has not previously been used in a ransomware attack. Ransomware actors, including Conti, commonly use commercial RMMs such as AnyDesk during their attacks. In fact, instructions for installation and configuration of the AnyDesk RMM are detailed in the “CobaltStrike MANUALS_V2 Active Directory” attack manual that was leaked from the Conti group in 2021. Figure 3 shows a screenshot from this manual, featuring AnyDesk installation instructions.</p>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger/_jcr_content/main/par/sectionblog/par/image_1406472451.coreimg{.width}.png/1663290691386/monti-fig03.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig03.png" data-asset-id="3c6655bd-a351-4e80-986f-3143014d328f" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig03.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p><i>Figure 3 - Example of installation instructions for AnyDesk, as seen in a leaked “CobaltStrike MANUALS_V2 Active Directory” document</i></p>
<p>The names of the Action1 agent executables that threat actors used in the Monti attack matched those used by the RMM product itself. Specifically, the files found within the client environment were labeled “action1_agent.exe” and “action1_remote.exe.”</p>
<p>When ransomware actors rename a file, they often do not change its OriginalFileName value, which is stored in the portable executable’s (PE’s) resources. Although this value can be altered, many actors leave it untouched. As a result, you can often find a renamed file by querying the OriginalFileName value in your endpoint detection and response (EDR) tool, Sysmon, or other tooling.</p>
<p>Figure 4 shows the file version information for action1_agent.exe, as seen on VirusTotal.</p>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger/_jcr_content/main/par/sectionblog/par/image_2046007858.coreimg{.width}.png/1663290691402/monti-fig04.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig04.png" data-asset-id="1b64402c-ea04-4976-a3da-812fa128e7ae" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig04.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p><i>Figure 4 - action1_agent.exe file version information as seen on VirusTotal</i></p>
<p>An example <a href="https://www.elastic.co/guide/en/kibana/current/lucene-query.html">Lucene-based query</a> for the Elasticsearch search and analytics engine might be [OriginalFileName:&quot;action1_agent.exe&quot;]. (Keep this method in mind, as it is <i>very</i> handy during ransomware investigations.)</p>
<h3><b>Tools Leveraged in the Ransomware Attack</b></h3>
<p>The attackers used two well-known temporary file transfer websites – dropmefiles.com[.]ua and temp[.]sh – to bring tools into the network and to exfiltrate data. They leveraged the Google Chrome web browser to access these sites and download tools.</p>
<p>The attackers’ choice to use Chrome™ rather than Internet Explorer (IE) may be due to the client’s implementation of Enhanced Security Configuration (ESC), an option that can be enabled on Windows servers that prohibits general internet browsing via IE. To bypass the ESC configuration, the attackers used Chrome, allowing them to freely browse web pages.</p>
<p><b>Table 1</b> lists the various tools leveraged by the Monti group.</p>
<table width="663" cellspacing="0" cellpadding="0" border="1">
<tbody><tr><td width="134" valign="top"><p><b>Tool</b></p>
</td>
<td width="117" valign="top"><p><b>Type</b></p>
</td>
<td width="411" valign="top"><p><b>Details</b></p>
</td>
</tr><tr><td width="134" valign="top"><p><b>Action1 RMM</b></p>
</td>
<td width="117" valign="top"><p>RMM</p>
</td>
<td width="411" valign="top"><p>- Commercial Remote Monitoring &amp; Maintenance agent.<br>
 - Used by threat actors to provide remote access to a victim network.</p>
</td>
</tr><tr><td width="134" valign="top"><p><b>AnyDesk RMM</b></p>
</td>
<td width="117" valign="top"><p>RMM</p>
</td>
<td width="411" valign="top"><p>- Commercial Remote Monitoring &amp; Maintenance agent.<br>
- Used by threat actors to provide remote access to a victim network.</p>
</td>
</tr><tr><td width="134" valign="top"><p><b>Avast Anti-rootkit driver</b></p>
</td>
<td width="117" valign="top"><p>Bypass Tool</p>
</td>
<td width="411" valign="top"><p>- Avast's Anti-rootkit library is useful for removing rootkits.<br>
 - Used by threat actors to remove endpoint security products such as antivirus (AV)/endpoint protection platforms (EPPs)/ endpoint protection and response (EDR), etc.</p>
</td>
</tr><tr><td width="134" valign="top"><p><b>GMER</b></p>
</td>
<td width="117" valign="top"><p>Bypass Tool</p>
</td>
<td width="411" valign="top"><p>- Rootkit detector and remover<br>
- Used by threat actors to remove endpoint security products such as AV/EPP/EDR, etc.</p>
</td>
</tr><tr><td width="134" valign="top"><p><b>MEGASync</b></p>
</td>
<td width="117" valign="top"><p>Data Theft</p>
</td>
<td width="411" valign="top"><p>- MEGA.io’s proprietary file synchronization agent.<br>
 - Used by threat actors to exfiltrate data from victim networks to the cloud storage provider MEGA</p>
</td>
</tr><tr><td width="134" valign="top"><p><b>Mimikatz</b></p>
</td>
<td width="117" valign="top"><p>Credential Theft</p>
</td>
<td width="411" valign="top"><p>- Free and open-source tool used to dump credentials, perform pass-the-hash/token attacks in networks, and generally obtain access to legitimate credentials</p>
</td>
</tr><tr><td width="134" valign="top"><p><b>netscan<br>
 netscan64</b></p>
</td>
<td width="117" valign="top"><p>Network Scanner</p>
</td>
<td width="411" valign="top"><p>- SoftPerfect Network Scanner tool<br>
 - Used by threat actors to scan internal networks to identify sources for lateral movement</p>
</td>
</tr><tr><td width="134" valign="top"><p><b>PSEXEC</b></p>
</td>
<td width="117" valign="top"><p>Lateral Movement</p>
</td>
<td width="411" valign="top"><p>- Microsoft &quot;Sysinternals&quot; suite utility designed for administrators to run commands on remote systems and/or copy files to remote machines<br>
- Commonly used by threat actors to run processes remotely and to facilitate lateral movement</p>
</td>
</tr><tr><td width="134" valign="top"><p><b>PuTTY</b></p>
</td>
<td width="117" valign="top"><p>Data Theft</p>
</td>
<td width="411" valign="top"><p>- Data transfer tool commonly used by network administrators<br>
 - Used by threat actors to exfiltrate data from victim networks</p>
</td>
</tr><tr><td width="134" valign="top"><p><b>Veeam-Get-Creds</b></p>
</td>
<td width="117" valign="top"><p>Credential Theft</p>
</td>
<td width="411" valign="top"><p>- Open-source PowerShell script designed to dump credentials from Veeam backup software<br>
- See <a href="https://github.com/sadshade/veeam-creds" target="_blank">https://github.com/sadshade/veeam-creds</a> </p>
</td>
</tr><tr><td width="134" valign="top"><p><b>Veeamp</b></p>
</td>
<td width="117" valign="top"><p>Credential Theft</p>
</td>
<td width="411" valign="top"><p>- Custom Veeam password dumper written in Microsoft .NET<br>
 - Detailed in the Malware Analysis section found later in this article</p>
</td>
</tr><tr><td width="134" valign="top"><p><b>WinRAR</b></p>
</td>
<td width="117" valign="top"><p>Data Theft</p>
</td>
<td width="411" valign="top"><p>- Commercial data archival tool popularized in the early days of the internet and still used by many entities<br>
- Often used by threat actors to archive data prior to exfiltration</p>
</td>
</tr><tr><td width="134" valign="top"><p><b>WinSCP</b></p>
</td>
<td width="117" valign="top"><p>Data Theft</p>
</td>
<td width="411" valign="top"><p>- Data transfer tool used by network administrators<br>
 - Used by threat actors to exfiltrate data from victim networks</p>
</td>
</tr></tbody></table>
<p><i>Table 1 - Tools used by the Monti threat group</i></p>
<h3><b>Monti Group Data Access and Exfiltration</b></h3>
<p>We reviewed various web browser-related files to analyze attacker access. For example, history and cache files from Internet Explorer, Chrome, and Firefox browsers revealed files potentially accessed by attackers. BlackBerry researchers uncovered more than 250 URLs indicating systems and files the threat group likely accessed.</p>
<p>Using the forensic data available on the client’s system, we were able to identify a single instance of data exfiltration. The attacker dumped the process memory of the Local Security Authority Server Service (LSASS) on the Horizon Connection Broker server, to a file named “lsass.DMP.”</p>
<p>This filename (specifically, with the uppercase file suffix) is the default name Windows Task Manager gives to a memory dump of the LSASS process. Attackers can rename the file, but when the default name is left in place, it hints at how the file was produced.</p>
<p>The memory pages allocated to the LSASS process include credentials stored in memory that Windows uses for various authentication and authorization procedures. As such, someone who dumps the memory for this process can recover plaintext credentials by using a tool such as Mimikatz to process the memory dump. Mimikatz can also use this file to facilitate <a href="https://blog.netwrix.com/2021/11/30/passing-the-hash-with-mimikatz/" target="_blank">Pass-the-Hash</a> and similar attacks.</p>
<p>During data access analysis, BlackBerry researchers found that the threat actor accessed a URL associated with the DropMeFiles file-sharing website. Ransomware operators like this site because it offers temporary and anonymous file-sharing services. We visited the identified URL and confirmed that the attackers uploaded the dumped lsass.DMP file to the DropMeFiles site. Though users of this service can delete files at will, the threat actor neglected to do so. Thus, BlackBerry was able to obtain and review the exfiltrated memory dump.</p>
<p>Figure 5 is a screenshot of the DropMeFiles site showing the lsass.DMP file that the threat actor exfiltrated from the client’s Horizon Connection Broker server.</p>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger/_jcr_content/main/par/sectionblog/par/image_34007611.coreimg{.width}.png/1663290691418/monti-fig05.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig05.png" data-asset-id="fc084eb4-8c12-4777-9f34-f3f2b207b65a" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig05.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p><i>Figure 5 - Screenshot showing lsass.DMP exfiltration via DropMeFiles</i></p>
<h3><b>Using Code Analysis to Your Advantage</b></h3>
<p>Before we get into Monti’s reuse of Conti’s encryptor code, we want to point out a helpful trick that was made possible due to our awareness of that code re-use.</p>
<p>Because we were familiar with Conti v2 and v3 encryptor payloads, the BlackBerry IR team knew that Conti encryptor payloads do not always encrypt the entirety of each file. Source code analysis shows us that to determine which encryption methods to use, Conti payloads use a combination of a file’s location (on the disk or network), type (based on file suffix), and size.</p>
<p>For example, the ENCRYPT_MODES available in Conti v2 payloads include HEADER_ENCRYPT, PARTLY_ENCRYPT, and FULL_ENCRYPT. The PARTLY_ENCRYPT mode can be accompanied by a value of 20 or 50, indicating the percentage of the file that should be encrypted.</p>
<p>Researchers Luigi Martire, Carmelo Ragusa, and Luca Mella, from the cybersecurity company Yoroi, wrote a fantastic article named “<a href="https://yoroi.company/research/conti-ransomware-source-code-a-well-designed-cots-ransomware/" target="_blank">Conti Ransomware Source Code: A Well-designed COTS Ransomware</a>,” which provides insight into the code segments that help drive these encryption decisions. In the article, you will find examples of code segments such as the one shown in Figure 6, which details encryption mode selection based on file size.</p>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger/_jcr_content/main/par/sectionblog/par/image_1454392430.coreimg{.width}.png/1663290691434/monti-fig06.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig06.png" data-asset-id="6c81365b-3add-4249-b9a5-a31efe5c2cc2" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig06.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p><i>Figure 6 - Screenshot from Martire, Ragusa, and Mella’s 2022 article that shows encryption mode selection based on file size</i></p>
<p>This knowledge allowed the BlackBerry IR team to extract full, unencrypted strings from encrypted log files.</p>
<p>The following command uses a simple grep query to find the string “2022-0,” which appeared at the beginning of each line in the VMware Horizon debug logs. Notice that even though the log file named in the command was encrypted, the command still yielded over 137,000 lines of unencrypted log events.</p>
<table cellspacing="0" cellpadding="0" border="1">
<tbody><tr><td width="623" valign="top"><i>$ strings debug-2022-06-30-094202.txt.PUUUK | grep -i '2022-0' | wc -l<br>
 <br>
 &nbsp; 137420</i></td>
</tr></tbody></table>
<p>This same methodology can be adapted to many other file types. Text (.txt) and general log files are obviously the best use case.</p>
<p>This isn’t just applicable to Monti or Conti. Many different ransomware encryptors use a similar process of selecting portions of each file to encrypt.</p>
<p><b>This possibility of decryption is just one of the many reasons why we recommend that ransomware victims back up files encrypted in these attacks. Yes, you read that right: the <i>encrypted</i> files.</b></p>
<p>Even if your encrypted files can’t be decrypted in <i>this </i>way, sometimes researchers are able to discover decryption methods that can be offered in stand-alone tools, and ransomware operations groups occasionally release their decryption keys. In any case, encrypted data that has been saved can be revisited and potentially decrypted at a later date.</p>
<h2>Monti Technical Analysis</h2>
<h3><b>Ransomware Behavior</b></h3>
<p>The ransomware payload associated with this incident is a 32-bit Windows executable named “locker.exe.” At the time of writing this report, the malware is not publicly available. The threat actor downloaded this payload from temp[.]sh via the Chrome browser.</p>
<p>Upon execution, the malware encrypts files on disk, adds a “.PUUUK” extension to affected files’ names, and produces the following ransom note:</p>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger/_jcr_content/main/par/sectionblog/par/image_398896256.coreimg{.width}.png/1663290691450/monti-fig6b.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig6b.png" data-asset-id="9ebac8d9-997c-4476-b3ea-6a4707e7b45f" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig6b.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p><i>Figure 6a - Monti ransom note</i></p>
<p>This ransom note is almost identical to the notes produced by some Conti ransomware variants, except it references a “MONTI strain” instead of a “CONTI strain.”</p>
<h3><b>Evaluating the Relationship Between Conti and Monti</b></h3>
<p>In light of the Conti leaks that occurred in February and March 2022, we decided to explore any connections between the executable we identified, publicly available Conti payloads, and the leaked source code.</p>
<p>Brief static analysis determined that our sample’s file name, file size, compile time, import table hash, and most section hashes (with the exception of the .data section) match the corresponding characteristics of the locker.exe <a href="https://www.virustotal.com/gui/file/e1b147aa2efa6849743f570a3aca8390faf4b90aed490a5682816dd9ef10e473" target="_blank">executable</a> included in the <a href="https://www.virustotal.com/gui/file/4f1600295371e629aea746047ceab3a644f978023e11154dec9ad872597d9d7c" target="_blank">Conti v3 code leaks</a>. These observations provided strong evidence that the executable we found is, in fact, a Conti v3 payload.</p>
<p>Further analysis of the leaked Conti executable revealed that, although the code within it was identical to the sample we discovered, execution of the Conti payload did not actually result in any file encryption.</p>
<p>A review of the leaked locker.exe’s .data section provided insight into the nature of this executable, as seen in Figure 7.</p>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger/_jcr_content/main/par/sectionblog/par/image_539710541.coreimg{.width}.png/1663290691466/monti-fig07.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig07.png" data-asset-id="2d22becc-58f5-4af3-aeca-1ab71c594a03" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig07.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p><i>Figure 7 - Strings within the leaked locker.exe Conti v3 payload</i></p>
<p>The presence of the strings __DECRYPT_NOTE__, .EXTEN, and __publickey__ suggested that this file was intended as a template for a ransomware builder to generate functional payloads.</p>
<p>Although the Conti v3 leak did not include the compiled ransomware builder or its source, the Conti v2 leak did include the ransomware builder executable. Analysis of this executable confirmed that it was responsible for replacing the placeholder text mentioned above with actual values.</p>
<p>The decompiler excerpt in Figure 8 shows code within the Conti v2 builder that locates the text placeholders and replaces them with a generated RSA public key, RSA private key (for inclusion in the decryptor only) and ransom note text, respectively.</p>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger/_jcr_content/main/par/sectionblog/par/image_1956234341.coreimg{.width}.png/1663290691482/monti-fig08.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig08.png" data-asset-id="96c8e20f-21dc-40e4-8fcd-4f124cd1b35a" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig08.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p><i>Figure 8 - Conti v2 builder decompiled code excerpt</i></p>
<h3><b>More Clues in the Timestamps</b></h3>
<p>After determining the origin of the payload file, we explored how the payload we found was likely generated. The attacker could have compiled the leaked v3 source as the first step to produce their payload. However, we suspect they took a different approach, because the compile time of the ransomware payload we found matches the compile time of the leaked Conti v3 locker.exe: Tue Jan 12 19:20:18 2021 UTC.</p>
<p>If the source code had been recompiled, this embedded timestamp would be more recent. The timestamp is consistent with the others embedded in each executable, and it aligns with the period when other Conti samples sharing the same import table hash (imphash - 5036747C069C42A5E12C38D94DB67FAD) were first submitted to VirusTotal. These observations suggest the timestamp was not manually stomped.</p>
<p>If the attacker did not recompile the available source code, we considered the possibility that they had access to a Conti v3 builder to generate the payload. Since we do not have access to a Conti v3 builder, we performed testing with the leaked v2 builder.</p>
<p>We built multiple payloads across a period of time and found that they all had the same, older compile time of Tue Sep 15 20:17:05 2020 UTC. While this timestamp differed from our sample and the leaked executable, it confirmed the possibility that the Conti v3 builder might also generate payloads with a consistent compile timestamp.</p>
<p>It might seem odd for a builder to maintain an old timestamp, but there is precedent for this approach. The <a href="https://www.virustotal.com/gui/file/82e560a078cd7bb4472d5af832a04c4bc8f1001bac97b1574efe9863d3f66550" target="_blank">Babuk ransomware builder</a>, leaked in June 2021, produces executables with the same compile time, regardless of when the payload is built. In contrast, the <a href="https://www.virustotal.com/gui/file/f9a5a72ead096594c5d59abe706e3716f6000c3b4ebd7690f2eb114a37d1a7db" target="_blank">Yashma ransomware builder</a>, leaked in May 2022, generates executables that match the time the build was created. (See our earlier blog posts for more information on <a href="https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree" target="_blank">Yashma</a> and <a href="https://blogs.blackberry.com/en/2021/12/threat-thursday-babuk-ransomware-shifts-attack-methods-to-double-extortion" target="_blank">Babuk</a>.)</p>
<h3><b>Is Monti Made With Manual Modification?</b></h3>
<p>While the discussion thus far might suggest that the Monti attackers used a non-public Conti v3 builder, there is also reason to believe this was not the case. Instead, the attacker might have manually modified (e.g., using a hex editor) the leaked Conti v3 locker.exe executable. To explain this theory, some additional background is required.</p>
<p>One difference between Conti v2 and v3 payloads is the format of the embedded ransom note. In Conti v2 payloads, the ransom note text is stored as plaintext in the .data section of the PE file. In Conti v3 executables, the ransom note is encrypted using the ChaCha8 algorithm.</p>
<p><a href="https://cr.yp.to/chacha.html" target="_blank">D.J. Bernstein</a> created this algorithm and threat actors implemented it in both Conti v2 and v3 to encrypt files. In Conti v3, it’s also used to decrypt the instructions for payment.</p>
<p>Comparing the leaked v2 and v3 encryptor source code confirms that only v3 expects the ransom note to be encrypted. In the leaked Conti v2 search.cpp source file (shown in Figure 9 below), although there are several references to the word “Decrypt,” there is no actual decryption performed before the ransom note is written to disk. </p>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger/_jcr_content/main/par/sectionblog/par/image_1543652674.coreimg{.width}.png/1663290691498/monti-fig09.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig09.png" data-asset-id="123683ac-4af8-49d3-8970-4d9c868563cb" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig09.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt="Figure 9: Conti v2 search.cpp source with no ransom note decryption"/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p><i>Figure 9 - Conti v2 search.cpp with no ransom note decryption</i></p>
<p>In contrast, the leaked Conti v3 search.cpp source file (shown in Figure 10) includes code to perform ChaCha8 decryption: </p>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger/_jcr_content/main/par/sectionblog/par/image_1197804026.coreimg{.width}.png/1663290691514/monti-fig10.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig10.png" data-asset-id="17e7197b-d9da-4fc2-b30d-affab08cc0dc" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig10.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt="Figure 10: Conti v3 search.cpp source with ChaCha8 ransom note decryption"/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
<p><i>Figure 10 - Conti v3 search.cpp with ransom note decryption</i></p>
<p>The ChaCha8 algorithm uses a 32-byte key and an 8-byte nonce. A <i>nonce</i>, or number used once, plays a role similar to an initialization vector (IV): it is mixed into keystream generation so that encrypting the same content twice under the same key yields different ciphertext. The security requirement on a nonce is uniqueness, not secrecy. For a stream cipher such as ChaCha, a (key, nonce) pair must never be reused, because a repeated pair reproduces the identical keystream, and identical plaintext then encrypts to identical ciphertext.</p>
<p>The structure of the key, nonce, and encrypted text in a typical <a href="https://www.virustotal.com/gui/file/3d8b6ccfcb742aeaac194c6a245ed08131a14919c4950039bf833c764e6d4f66" target="_blank">Conti v3 payload</a> is shown in Figure 11 below. Only an excerpt of the ciphertext is shown.</p>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger/_jcr_content/main/par/sectionblog/par/image_1781641240.coreimg{.width}.png/1663290691530/monti-fig11.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig11.png" data-asset-id="d4dde735-8227-4ca6-8a0b-0f9eca17ea66" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig11.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt="Figure 11: Key, nonce, and encrypted ransom note layout in a typical Conti v3 payload"/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p><i>Figure 11 - Typical Conti v3 payload with key and nonce</i></p>
<p>Compare the above values with the corresponding bytes in the payload we discovered, shown in Figure 12 below: </p>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger/_jcr_content/main/par/sectionblog/par/image_405420496.coreimg{.width}.png/1663290691546/monti-fig12.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig12.png" data-asset-id="4ce9ecd1-045d-4244-b423-7f4f15d218e1" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2022/09/monti-fig12.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt="Figure 12: The discovered payload showing an all-zero ChaCha8 key and nonce"/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p><i>Figure 12 - Our payload with anomalous key and nonce values</i></p>
<p>As you can see, both the key and nonce in this payload consist entirely of zero bytes (an all-zero 32-byte key and an all-zero 8-byte nonce). Just as the Conti v2 builder dynamically generates the 4096-bit RSA public key before embedding it in the payload, we would expect the ransom note key and nonce to be freshly generated during the build process; a builder has no reason to emit a zero-filled key and nonce.</p>
<p>This suggests that the attacker did not have access to the builder and instead manually inserted a ChaCha8 encrypted ransom note, file extension and RSA public key into the leaked Conti v3 locker.exe executable.</p>
<h3><b>Detecting the Differences</b></h3>
<p>Because the key and nonce are all zeros rather than per-build values, the ChaCha8 keystream is identical in every payload built this way, so a given plaintext always encrypts to the same bytes. We used this property to craft a signature for samples that reference “MONTI.” In the payload discovered during this incident, the bytes <i>20 19 57 65 03 62 D0 AE F4 D1 68</i> are decrypted to “MONTI strain.” Note that this signature only matches payloads that retain the all-zero key and nonce; a sample with a builder-generated key would encrypt the same text to different bytes and would not hit.</p>
<p>Searching for these bytes on VirusTotal resulted in three files with the following SHA-256 hashes:</p>
<ul>
<li>b45fe91d2e2340939781d39daf606622e6d0b9ddacd8425cb8e49c56124c1d56</li>
<li>158dcb26239a5db7a0eb67826178f1eaa0852d9d86e59afb86f04e88096a19bc</li>
<li>702099b63cb2384e11f088d6bc33afbd43a4c91848f393581242a6a17f1b30a0</li>
</ul>
<p>All files have a VirusTotal imphash (import hash) value that matches the payload we found. All files were also first submitted to VirusTotal in June 2022, the same month as the incident under investigation.</p>
<p>Among the samples on VirusTotal with the imphash 5036747C069C42A5E12C38D94DB67FAD, we did find <a href="https://www.virustotal.com/gui/file/48b8fbd9401a4ac8fe5239dd532b8502d5692e3450117438b7166f64b015ff6c" target="_blank">one more sample</a> that likewise carried an all-zero ChaCha8 key and nonce. It was first submitted to VirusTotal on 2022-04-26 20:13:02 UTC. However, the ransom note for this payload did not reference “MONTI” (or any “strain”), so the connection with the Monti actor is unclear.</p>
<h3><b>Veeam Credential Dumper</b></h3>
<p>During our investigation, we also found malware named veeamp.exe, with SHA-256 hash <a href="https://www.virustotal.com/gui/file/9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732" target="_blank">9AA1F37517458D635EAE4F9B43CB4770880EA0EE171E7E4AD155BBDEE0CBE732</a>. This file attempts to dump credentials from a SQL database for Veeam backup management software. (The credential dumper is briefly mentioned in <a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue" target="_blank">this Symantec blog</a>.)</p>
<p>Some researchers associate this malware with Yanluowang ransomware. It is important to clarify that this credential dumper might have been used by threat actors that also deployed Yanluowang ransomware, but veeamp.exe is not ransomware, and is only capable of dumping Veeam credentials.</p>
<p>The file is a 32-bit .NET binary. The code employs control-flow flattening, which is an obfuscation technique that makes it more challenging to understand the flow of execution.</p>
<p>When launched, the malware attempts a connection to a SQL database named VeeamBackup. If it cannot connect to the specified database, no further action is taken. However, if a connection is established, the file runs the following command:</p>
<p><i>select [user_name],[password],[description] FROM [VeeamBackup].[dbo].[Credentials]</i></p>
<p>The program then attempts to decrypt any user passwords that are returned by this command. From a detection standpoint, reads of the <i>[VeeamBackup].[dbo].[Credentials]</i> table by a process other than Veeam’s own services are a useful anomaly to alert on.</p>
<p>As discussed in <a href="https://helpcenter.veeam.com/docs/agentforwindows/configurator/encryption.html?ver=50" target="_blank">this Veeam documentation</a>, passwords can be encoded and/or encrypted using several approaches, including simple base64 encoding, or through the use of Microsoft’s <a href="https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.protecteddata.protect?redirectedfrom=MSDN&amp;view=windowsdesktop-6.0#System_Security_Cryptography_ProtectedData_Protect_System_Byte___System_Byte___System_Security_Cryptography_DataProtectionScope_" target="_blank">ProtectedData</a> class, the .NET wrapper for the Windows Data Protection API (DPAPI). DPAPI binds protection to the user or machine context rather than to a secret the attacker lacks, so code running under the same account (or, for machine scope, on the same host) as the Veeam server can call the matching Unprotect routine. This is presumably why a credential dumper executed on that server is able to recover plaintext passwords.</p>
<p>The credential dumper uses these approaches to attempt decryption. If it’s successful, it prints to the screen the following information:</p>
<ul>
<li>Username</li>
<li>Encrypted password</li>
<li>Decrypted password</li>
<li>Description for each user in the Credentials table<br>
</li>
</ul>
<p>It prints this information in the following format:</p>
<p><i>user: {0} encrypted pass: {1} decrypted pass: {2} description: {3}</i></p>
<p>The database name, SQL command, and output format string are all encoded in the executable, using a single-byte XOR key that varies for each string.</p>
<p>Two similar Veeam credential dumpers are currently available on VirusTotal (<a href="https://www.virustotal.com/gui/file/78517fb07ee5292da627c234b26b555413a459f8d7a9641e4a9fcc1099f06a3d" target="_blank">first link</a>, <a href="https://www.virustotal.com/gui/file/df492b4cc7f644ad3e795155926d1fc8ece7327c0c5c8ea45561f24f5110ce54" target="_blank">second link</a>). At the time of this writing, both have low detection rates (i.e., 15 detections or fewer). Both files have similar code to the credential dumper we found, but they are additionally obfuscated with Eazfuscator.NET.</p>
<h3><b>Conclusion</b><br>
</h3>
<p>While the activity of the Monti group itself seems to have been short lived, there is more we can learn from its copycat techniques. As additional Ransomware-as-a-Service (RaaS) builders and source code are leaked, either publicly or privately, we could continue to see these doppelganger-like ransomware groups proliferate.</p>
<p>General familiarity with the TTPs of known groups can help us identify any unique traits of these lookalike crews. The more we can identify these unique traits, the better we will be able to associate known analysis methodologies with these new cases while keeping our eye out for differences.</p>
<h3><b>YARA Rules</b></h3>
<p>The following YARA rules were authored by the BlackBerry Research &amp; Intelligence Team to catch the threats described in this document. Note that the <i>veeam_dumper</i> rule requires four of its five strings, so it always depends on at least one of the original module or PDB names (<i>veeamp.exe</i> / <i>veeamp.pdb</i>); a renamed or further-obfuscated build, such as the Eazfuscator.NET-protected variants mentioned above, may not retain those strings. Treat the rule as a starting point rather than comprehensive coverage.</p>
<table cellspacing="0" cellpadding="0" border="1">
<tbody><tr><td width="623" valign="top"><p>rule monti_ransom {<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; meta:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; description = &quot;Detects ChaCha8 encrypted 'MONTI Strain' text (using all-zero key and nonce) embedded in ransomware payload&quot;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; author = &quot;BlackBerry Threat Research Team&quot;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; date = &quot;August 15, 2022&quot;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; license = &quot;This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research &amp; Intelligence Team&quot;</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; strings:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $s = {20 19 57 65 03 62 D0 AE F4 D1 68}</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; condition:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; uint16be(0) == 0x4d5a and filesize &lt; 2MB<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; and $s<br>
}</p>
<p>rule veeam_dumper {<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; meta:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; description = &quot;Detects Veeam credential Dumper&quot;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; author = &quot;BlackBerry Threat Research Team&quot;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; date = &quot;August 15, 2022&quot;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; license = &quot;This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research &amp; Intelligence Team&quot;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; strings:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $s1 = &quot;SqlCommand&quot; fullword ascii wide<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $s2 = &quot;SqlConnection&quot; fullword ascii wide<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $s3 = &quot;SqlDataReader&quot; fullword ascii wide<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $s4 = &quot;veeamp.exe&quot; fullword ascii wide<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $s5 = &quot;veeamp.pdb&quot; fullword ascii wide</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; condition:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; uint16be(0) == 0x4d5a and filesize &lt; 60KB<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; and 4 of them<br>
}</p>
</td>
</tr></tbody></table>
<p><b>&nbsp;</b></p>
<h3><b>Indicators of Compromise (IoCs)</b></h3>
<p><b>“MONTI” payload SHA-256 hashes:</b></p>
<ol>
<li>b45fe91d2e2340939781d39daf606622e6d0b9ddacd8425cb8e49c56124c1d56</li>
<li>158dcb26239a5db7a0eb67826178f1eaa0852d9d86e59afb86f04e88096a19bc</li>
<li>702099b63cb2384e11f088d6bc33afbd43a4c91848f393581242a6a17f1b30a0</li>
</ol>
<p><b>Veeam Credential Dumper SHA-256 hashes:</b></p>
<ul>
<li>9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732</li>
<li>df492b4cc7f644ad3e795155926d1fc8ece7327c0c5c8ea45561f24f5110ce54</li>
<li>78517fb07ee5292da627c234b26b555413a459f8d7a9641e4a9fcc1099f06a3d</li>
</ul>
<h3><b>References</b></h3>
<p>MalwareHunterTeam. (2022). “Monti strain.” Retrieved from <a href="https://twitter.com/malwrhunterteam/status/1542595315915710465?s=20&amp;t=Y7d3POTgnMSB_JcyEeF5_g" target="_blank">https://twitter.com/malwrhunterteam/status/1542595315915710465?s=20&amp;t=Y7d3POTgnMSB_JcyEeF5_g</a></p>
<p>Martire, Ragusa, &amp; Mella. (2022). “Conti Ransomware Source Code: A Well-designed COTS Ransomware.” Retrieved from <a href="https://yoroi.company/research/conti-ransomware-source-code-a-well-designed-cots-ransomware/" target="_blank">https://yoroi.company/research/conti-ransomware-source-code-a-well-designed-cots-ransomware/</a></p>
<h3><b>BlackBerry Assistance</b></h3>
<p>If you’re battling this malware or a similar threat, you’ve come to the right place, regardless of your existing BlackBerry relationship.</p>
<p><a href="https://www.blackberry.com/us/en/services/incident-response" target="_blank">The BlackBerry Incident Response team</a>&nbsp;is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.</p>
<p>We have a global consulting team standing by to assist you, providing around-the-clock support where required, as well as local assistance. Please contact us here:&nbsp;<a href="https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment" target="_blank">https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment</a></p>
<p><b>Related Reading:</b></p>
<ul>
<li><a href="https://blogs.blackberry.com/en/2021/05/threat-thursday-conti-ransoms-over-400-organizations-worldwide" target="_blank">Threat Thursday: Conti Ransoms Over 400 Organizations Worldwide</a></li>
<li><a href="https://blogs.blackberry.com/en/2022/01/log4u-shell4me" target="_blank">Log4U, Shell4Me: A BlackBerry Guide to the Log4J Vulnerability</a></li>
<li><a href="https://blogs.blackberry.com/en/2021/12/threat-thursday-babuk-ransomware-shifts-attack-methods-to-double-extortion" target="_blank">Babuk Ransomware Shifts Attack Methods to Double Extortion</a></li>
<li><a href="https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree" target="_blank">Yashma Ransomware, Tracing the Chaos Family Tree </a>&nbsp;</li>
</ul>

    
    
</div>


    
    


    
    
    <div class="authorblog"><!--Pulling author bio from author page-->

    
    
        
  



<div class="author-info" data-author-name="Anuj Soni" data-author-path="https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger">
  <div class="author-description">
      
    
    <h2>About Anuj Soni</h2>
    <p class="author-position"><b>Principal Threat Researcher, BlackBerry</b></p>
<p><a href="https://www.linkedin.com/in/sonianuj/" target="_blank"><b>Anuj Soni</b></a> is a Principal Threat Researcher at BlackBerry, where he performs malware research and reverse engineering. Anuj also brings his problem-solving abilities to his position as a SANS Certified Instructor, which gives him the opportunity to impart his deep technical knowledge and practical skills to students.</p>
<p>As a co-author and instructor for <a href="https://www.sans.org/course/reverse-engineering-malware-malware-analysis-tools-techniques">Reverse-Engineering Malware</a> and instructor for <a href="https://www.sans.org/course/advanced-incident-response-threat-hunting-training">Advanced Digital Forensics and Incident Response</a>, Anuj emphasizes establishing goals for analysis, creating and following a process, and prioritizing tasks. <span style="background-color: transparent;">In addition to </span><a href="https://www.sans.org/instructors/anuj-soni" target="_blank">teaching SANS courses</a><span style="background-color: transparent;">, Anuj frequently presents at industry events such as the U.S. Cyber Crime Conference, SANS DFIR Summit, and the Computer and Enterprise Investigations Conference (CEIC).</span></p>
<p><span style="background-color: transparent;">Anuj holds Bachelor's and Master's degrees from Carnegie Mellon University, and has certifications in GIAC Reverse Engineering Malware (GREM) and as a EnCase Certified Examiner (EnCE) and Certified Information Systems Security Professional (CISSP). </span></p>

  </div><!-- .author-description	-->
</div>
<hr class="author-hr"/>
    
        
  



<div class="author-info" data-author-name="Ryan Chapman" data-author-path="https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger">
  <div class="author-description">
      
    
    <h2>About Ryan Chapman</h2>
    <p><a href="https://www.linkedin.com/in/ryanjchapman/"><b>Ryan Chapman</b></a> is Principal Incident Response &amp; Forensics Consultant, BlackBerry.</p>
<p>As an author, instructor, and information security professional with over 18 years’ experience, Ryan runs and works incidents for clients to provide response, assessment, and training in the digital forensics and incident response (DFIR) realm at BlackBerry. His primary case types involve digital forensics investigations (e.g. ransomware cases), compromise assessments, business email compromises, tabletop exercises, and more. Ryan loves the fact that the security industry is an ever-evolving creature.</p>

  </div><!-- .author-description	-->
</div>
<hr class="author-hr"/>
    
</div>


    
    


    
    



      </div>
      
          
      </div>
    </section>
      
  
  
</div>



</main>

                                    <sly data-sly-use.navLink="Footer">
                                        <sly data-sly-test="">
                                            <a href="" data-sly-attribute.target=""></a>
                                        </sly>
                                        <sly data-sly-test="true">
                                            <a href="" data-sly-attribute.target="" rel="noopener"></a>
                                        </sly>
                                    </sly>
                                </li>
                            </ul>
                            </div>
                        </sly>
                    </sly>
                </div>
%/-->
                <div class='col-xs-12 col-md-4'>
                    <!--Col-2-->
                    
                        <a class="footerCollapse" role="button" data-toggle="collapse" href="#collapse21" aria-expanded="false" aria-controls="collapse21">
                        	<h3>Corporate
                              <span class='open'>
                                  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M207.029 381.476L12.686 187.132c-9.373-9.373-9.373-24.569 0-33.941l22.667-22.667c9.357-9.357 24.522-9.375 33.901-.04L224 284.505l154.745-154.021c9.379-9.335 24.544-9.317 33.901.04l22.667 22.667c9.373 9.373 9.373 24.569 0 33.941L240.971 381.476c-9.373 9.372-24.569 9.372-33.942 0z"/></svg>
                              </span>
                              <span class='closed'>
                                  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M240.971 130.524l194.343 194.343c9.373 9.373 9.373 24.569 0 33.941l-22.667 22.667c-9.357 9.357-24.522 9.375-33.901.04L224 227.495 69.255 381.516c-9.379 9.335-24.544 9.317-33.901-.04l-22.667-22.667c-9.373-9.373-9.373-24.569 0-33.941L207.03 130.525c9.372-9.373 24.568-9.373 33.941-.001z"/></svg>
                              </span>
                            </h3>
                        </a>
                        
                        	<div class="collapse in" id="collapse21">
                            <ul>
                                <li>
                                    
                                        
                                        
                                            <a href="https://www.blackberry.com/us/en/company" rel="noopener" target="_blank">Company</a>
                                        
                                    
                                </li>
                            
                                <li>
                                    
                                        
                                            <a href="https://www.blackberry.com/us/en/company/newsroom" target="_blank">Newsroom</a>
                                        
                                        
                                    
                                </li>
                            
                                <li>
                                    
                                        
                                            <a href="https://www.blackberry.com/us/en/company/investors" target="_blank">Investors</a>
                                        
                                        
                                    
                                </li>
                            
                                <li>
                                    
                                        
                                        
                                            <a href="https://www.blackberry.com/us/en/company/careers" rel="noopener" target="_blank">Careers</a>
                                        
                                    
                                </li>
                            
                                <li>
                                    
                                        
                                            <a href="https://www.blackberry.com/us/en/company/leadership" target="_blank">Leadership</a>
                                        
                                        
                                    
                                </li>
                            
                                <li>
                                    
                                        
                                            <a href="https://www.blackberry.com/us/en/company/corporate-responsibility-at-blackberry" target="_blank">Corporate Responsibility</a>
                                        
                                        
                                    
                                </li>
                            
                                <li>
                                    
                                        
                                        
                                            <a href="https://www.blackberry.com/us/en/company/certifications" rel="noopener" target="_blank">Certifications</a>
                                        
                                    
                                </li>
                            
                                <li>
                                    
                                        
                                        
                                            <a href="https://www.blackberry.com/us/en/success-stories" rel="noopener" target="_blank">Customer Success</a>
                                        
                                    
                                </li>
                            </ul>
                            </div>
                        
                    
                </div>

                <div class='col-xs-12 col-md-4'>
                    <!--Col-3-->
                    
                    	<a class="footerCollapse" role="button" data-toggle="collapse" href="#collapse31" aria-expanded="false" aria-controls="collapse31">
                        	<h3>Developers
                              <span class='open'>
                                  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M207.029 381.476L12.686 187.132c-9.373-9.373-9.373-24.569 0-33.941l22.667-22.667c9.357-9.357 24.522-9.375 33.901-.04L224 284.505l154.745-154.021c9.379-9.335 24.544-9.317 33.901.04l22.667 22.667c9.373 9.373 9.373 24.569 0 33.941L240.971 381.476c-9.373 9.372-24.569 9.372-33.942 0z"/></svg>
                              </span>
                              <span class='closed'>
                                  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M240.971 130.524l194.343 194.343c9.373 9.373 9.373 24.569 0 33.941l-22.667 22.667c-9.357 9.357-24.522 9.375-33.901.04L224 227.495 69.255 381.516c-9.379 9.335-24.544 9.317-33.901-.04l-22.667-22.667c-9.373-9.373-9.373-24.569 0-33.941L207.03 130.525c9.372-9.373 24.568-9.373 33.941-.001z"/></svg>
                              </span>
                            </h3>
                        </a>
                        
                        	<div class="collapse in" id="collapse31">
                            <ul>
                                <li>
                                    
                                        
                                        
                                            <a href="https://developers.blackberry.com/" rel="noopener" target="_blank">Enterprise Platform &amp; Apps</a>
                                        
                                    
                                </li>
                            
                                <li>
                                    
                                        
                                        
                                            <a href="https://www.qnx.com/account/login.html?returnaddress=%2Fdownload%2Fgroup.html%3Fprogramid%3D29178" rel="noopener" target="_blank">BlackBerry QNX Developer Network</a>
                                        
                                    
                                </li>
                            </ul>
                            </div>
                        
                    
                    	<a class="footerCollapse" role="button" data-toggle="collapse" href="#collapse32" aria-expanded="false" aria-controls="collapse32">
                        	<h3>Blogs
                              <span class='open'>
                                  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M207.029 381.476L12.686 187.132c-9.373-9.373-9.373-24.569 0-33.941l22.667-22.667c9.357-9.357 24.522-9.375 33.901-.04L224 284.505l154.745-154.021c9.379-9.335 24.544-9.317 33.901.04l22.667 22.667c9.373 9.373 9.373 24.569 0 33.941L240.971 381.476c-9.373 9.372-24.569 9.372-33.942 0z"/></svg>
                              </span>
                              <span class='closed'>
                                  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M240.971 130.524l194.343 194.343c9.373 9.373 9.373 24.569 0 33.941l-22.667 22.667c-9.357 9.357-24.522 9.375-33.901.04L224 227.495 69.255 381.516c-9.379 9.335-24.544 9.317-33.901-.04l-22.667-22.667c-9.373-9.373-9.373-24.569 0-33.941L207.03 130.525c9.372-9.373 24.568-9.373 33.941-.001z"/></svg>
                              </span>
                            </h3>
                        </a>
                        
                        	<div class="collapse in" id="collapse32">
                            <ul>
                                <li>
                                    
                                        
                                        
                                            <a href="https://blogs.blackberry.com/" rel="noopener">BlackBerry ThreatVector Blog</a>
                                        
                                    
                                </li>
                            
                                <li>
                                    
                                        
                                        
                                            <a href="https://devblog.blackberry.com/" rel="noopener" target="_blank">Developers Blog</a>
                                        
                                    
                                </li>
                            
                                <li>
                                    
                                        
                                        
                                            <a href="https://helpblog.blackberry.com/" rel="noopener" target="_blank">Help Blog</a>
                                        
                                    
                                </li>
                            </ul>
                            </div>
                        
                    
                </div>

                <div class='col-xs-12 col-md-4'>
                    <!--Col-4-->
                    
                        <a class="footerCollapse" role="button" data-toggle="collapse" href="#collapse41" aria-expanded="false" aria-controls="collapse41">
                        	<h3>Legal
                              <span class='open'>
                                  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M207.029 381.476L12.686 187.132c-9.373-9.373-9.373-24.569 0-33.941l22.667-22.667c9.357-9.357 24.522-9.375 33.901-.04L224 284.505l154.745-154.021c9.379-9.335 24.544-9.317 33.901.04l22.667 22.667c9.373 9.373 9.373 24.569 0 33.941L240.971 381.476c-9.373 9.372-24.569 9.372-33.942 0z"/></svg>
                              </span>
                              <span class='closed'>
                                  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M240.971 130.524l194.343 194.343c9.373 9.373 9.373 24.569 0 33.941l-22.667 22.667c-9.357 9.357-24.522 9.375-33.901.04L224 227.495 69.255 381.516c-9.379 9.335-24.544 9.317-33.901-.04l-22.667-22.667c-9.373-9.373-9.373-24.569 0-33.941L207.03 130.525c9.372-9.373 24.568-9.373 33.941-.001z"/></svg>
                              </span>
                            </h3>
                        </a>
                        
                        	<div class="collapse in" id="collapse41">
                            <ul>
                                <li>
                                    
                                        
                                            <a href="https://www.blackberry.com/us/en/legal" target="_blank">Overview</a>
                                        
                                        
                                    
                                </li>
                            
                                <li>
                                    
                                        
                                            <a href="https://www.blackberry.com/us/en/legal/accessibility" target="_blank">Accessibility</a>
                                        
                                        
                                    
                                </li>
                            
                                <li>
                                    
                                        
                                            <a href="https://www.blackberry.com/us/en/legal/blackberry-virtual-patent-marking" target="_blank">Patents</a>
                                        
                                        
                                    
                                </li>
                            
                                <li>
                                    
                                        
                                            <a href="https://www.blackberry.com/us/en/legal/trademarks" target="_blank">Trademarks</a>
                                        
                                        
                                    
                                </li>
                            
                                <li>
                                    
                                        
                                            <a href="https://www.blackberry.com/us/en/legal/privacy-policy" target="_blank">Privacy Policy</a>
                                        
                                        
                                    
                                </li>
                            </ul>
                            </div>
                        
                    
            </div>
            </div>
        </div>
        <div class='container'>
            <div class='row tm10' style="padding-top: 50px">
                <div class='col-xs-12 col-md-6 copyright' copyright>
                    <p>
                        © 2023 BlackBerry Limited. All rights reserved.
                    </p>
                </div>
              
                
            </div>
        </div>

    </nav>
    </div>
</footer>
<!-- END DO NOT INDEX -->
            
    
    
    
    




    

    

    
    
    

            

            
            <script type="text/plain" class="optanon-category-C0002">

  (function () {

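    // Returns the value of query parameter `name` in `url` (defaults to the
    // current page URL): null when the parameter is absent, '' when it is
    // present without a value, otherwise the decoded value with '+' read as
    // a space.
    // Changes from the previous version: every regex metacharacter in `name`
    // is escaped (only brackets were before), and a malformed percent
    // sequence in a link's href no longer throws a URIError out of the click
    // handler -- the undecoded text is returned instead.
    var getParameterByName = function (name, url) {
      if (!url) url = window.location.href;
      var escaped = String(name).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
      var regex = new RegExp('[?&]' + escaped + '(=([^&#]*)|&|#|$)');
      var results = regex.exec(url);
      if (!results) return null;
      if (!results[2]) return '';
      var raw = results[2].replace(/\+/g, ' ');
      try {
        return decodeURIComponent(raw);
      } catch (e) {
        // Bad UTF-8 / truncated %XX sequence: best effort rather than abort.
        return raw;
      }
    };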
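    // Walks up from `element` and returns the nearest enclosing <a> (the
    // element itself included), or null when there is none.
    // Only element nodes (nodeType 1) are inspected. The previous version
    // read `tagName` on whatever node it reached, which throws for a
    // ShadowRoot / DocumentFragment; its explicit HTMLDocument stop is
    // covered here because the document has nodeType 9 and a null parentNode.
    var getParentAnchor = function (element) {
      var node = element;
      while (node) {
        if (node.nodeType === 1 && String(node.tagName).toUpperCase() === "A") {
          return node;
        }
        node = node.parentNode;
      }
      return null;
    };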

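    // Report 404 pages to Adobe Launch. The `typeof _satellite` guard matters:
    // when the Launch library is not present (blocked, or loaded later), the
    // previous unguarded call threw a ReferenceError that aborted this whole
    // script before the click listener below was ever registered.
    if (document.title === '404' && typeof _satellite !== 'undefined') {
      _satellite.track("error",
        { "errorType": "404", "pageURL": document.location.href }
      );
    }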

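    // Adobe Launch click tracking: social share / video / subscribe / contact /
    // site-exit / download events for anchors, and play-pause events for the
    // audio player component. Every Launch call goes through `track` so a
    // missing `_satellite` (blocked or not yet loaded) cannot throw from a click.
    var track = function (eventName, payload) {
      if (typeof _satellite !== 'undefined') {
        _satellite.track(eventName, payload);
      }
    };

    document.addEventListener('click', function (event) {
      var downloadFiles = [".pdf", ".exe", ".zip",".gzip",".gz",".tar",".jar",".bin",".dmg",".tgz",".mp4"];
      var elem = getParentAnchor(event.target);

      if (elem !== null) {
        // An SVG <a> exposes href as an SVGAnimatedString and has no .text;
        // normalise both so the string methods below cannot throw.
        var href = typeof elem.href === 'string' ? elem.href : '';
        var text = typeof elem.text === 'string' ? elem.text : (elem.textContent || '');
        var lowerText = text.toLowerCase();
        var videoSourceFound = "";

        if (elem.matches("a.twitter-share") || elem.matches("a.facebook-share") || elem.matches("a.linkedin-share") || elem.matches("a.email-share")) {
          track("social_share", { "socialName": elem.className.split('-')[0] });
        }
        else if (elem.hasAttribute("data-lity")) {
          var videoSources = { scene7: "s7d2.scene7.com", youtube: ["youtu.be", "youtube.com"], vimeo: "vimeo.com" };
          Object.keys(videoSources).forEach(function (key) {
            // Each platform has one or more host strings; last match wins.
            [].concat(videoSources[key]).forEach(function (domain) {
              if (href.indexOf(domain) > -1) {
                videoSourceFound = key;
              }
            });
          });
          if (videoSourceFound !== "") {
            // Scene7 embeds carry the real asset URL in the `asset` parameter.
            var linkHref = videoSourceFound === "scene7" ? getParameterByName("asset", href) : href;
            track("video", {
              "linkHref": linkHref,
              "videoPlatform": videoSourceFound,
              "linkText": text.trim()
            });
          }
        }
        else if (lowerText.indexOf("subscribe") > -1 || lowerText.indexOf("register for updates") > -1) {
          track("subscribe", { "linkText": text.trim() });
        }
        else if (lowerText.indexOf("contact us") > -1 || lowerText.indexOf("contact sales") > -1) {
          track("contact_us", { "linkText": text.trim() });
        }
        else if (href !== "" && elem.host !== window.location.host) {
          // Exact host comparison. The previous substring test
          // (elem.host.indexOf(location.host) > -1) classified any host that
          // merely *contained* ours, e.g. <ourhost>.evil.example, as internal.
          track("site_exit", { "site": elem.hostname });
        }

        // Download tracking fires once per click: previously every matching
        // extension sent its own event, so a ".tgz" URL (which also contains
        // ".gz") was counted twice. The match is still a substring test over
        // the whole URL, as before.
        var lowerHref = href.toLowerCase();
        for (var i = 0; i < downloadFiles.length; i++) {
          if (lowerHref.indexOf(downloadFiles[i]) > -1) {
            var urlSplit = href.split("/");
            track("download", { "fileName": urlSplit[urlSplit.length - 1] });
            break;
          }
        }
      }
      else {
        //AA Tracking for Audio Player Component - CM 2/9/2022
        if (event.target.matches('.bb-dms7-audio-container-right__top-playpause') || event.target.matches('#playpauseIcon')) {
          var eventType;
          var audioComponent = $('.audio')[0];
          var audioSource = $($(audioComponent).find('#player source')[0]).attr('src');
          var audioTitle = $($(audioComponent).find('.bb-dms7-audio-container-right__top-info__podcast-name')[0]).text();
          var trackTitle = $($(audioComponent).find('.bb-dms7-audio-container-right__top-info__episode-title')[0]).text();

          // Locate the play/pause icon: either the click landed on it, or on
          // its container (icon = second child). Null-guarded so a container
          // with an unexpected child layout does not throw.
          var icon = null;
          if (event.target.matches('.bb-dms7-audio-container-right__top-playpause')) {
            icon = event.target.childNodes[0] ? event.target.childNodes[0].nextElementSibling : null;
          } else {
            icon = event.target;
          }

          // Note the inversion (fa-play icon -> 'pause' event): presumably the
          // icon still shows the pre-toggle state when this listener runs --
          // confirm against the player component.
          if (icon && icon.matches('.fa-play')) {
            eventType = 'pause';
          }
          else if (icon && icon.matches('.fa-pause')) {
            eventType = 'play';
          }

          track("audio", {
            "eventType": eventType,
            "audioTitle": audioTitle,
            "trackTitle": trackTitle,
            "audioSource": audioSource
          });
        }
      }
    }, false);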


  })();


</script>



<script>
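    // Returns the decoded value of query parameter `p` from `search`
    // (defaults to window.location.search), or null when it is absent.
    // `search` is an optional, backward-compatible addition.
    // Regex metacharacters in `p` are escaped, and a malformed percent
    // sequence in the (attacker-controllable) landing URL returns the raw
    // text instead of throwing a URIError out of the load handler.
    function getGclidQueryParameter(p, search) {
      if (search === undefined) search = window.location.search;
      var escaped = String(p).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
      var match = RegExp('[?&]' + escaped + '=([^&]*)').exec(search);
      if (!match) return null;
      var raw = match[1].replace(/\+/g, ' ');
      try {
        return decodeURIComponent(raw);
      } catch (e) {
        return raw;
      }
    }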

    // Wraps `value` together with an expiry timestamp (epoch milliseconds)
    // 90 days from now; addGclid stores the result as JSON in localStorage.
    function getExpiryRecord(value) {
      var ninetyDaysMs = 90 * 24 * 60 * 60 * 1000;
      var expiresAt = Date.now() + ninetyDaysMs;
      return { value: value, expiryDate: expiresAt };
    }

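    // Captures a Google click id (gclid) from the landing URL, persists it for
    // 90 days in localStorage, and copies a still-valid value into the
    // `gclid_field` form input when that element exists on the page.
    // Storage access is wrapped in try/catch: localStorage can throw when
    // disabled by the browser, and a non-JSON value left under the same key
    // made the previous unguarded JSON.parse throw out of the load handler.
    // The gclid is untrusted URL input; it is only ever assigned to `.value`
    // here and must not be rendered as HTML or trusted server-side.
    function addGclid() {
      var gclidParam = getGclidQueryParameter('gclid');
      var gclidFormFields = ['gclid_field']; // all possible gclid form field ids here
      var gclidRecord = null;
      var currGclidFormField = null;

      // When gclsrc is present it must contain 'aw' (presumably the Google Ads
      // source tag) for the gclid to be accepted.
      var gclsrcParam = getGclidQueryParameter('gclsrc');
      var isGclsrcValid = !gclsrcParam || gclsrcParam.indexOf('aw') !== -1;

      gclidFormFields.forEach(function (field) {
        var el = document.getElementById(field);
        if (el) currGclidFormField = el;
      });

      var readStored = function () {
        try {
          var stored = localStorage.getItem('gclid');
          return stored ? JSON.parse(stored) : null;
        } catch (e) {
          return null;
        }
      };
      var writeStored = function (record) {
        try {
          localStorage.setItem('gclid', JSON.stringify(record));
        } catch (e) {
          // Storage unavailable or full: the form field is still filled below.
        }
      };

      if (gclidParam && isGclsrcValid) {
        gclidRecord = getExpiryRecord(gclidParam);
        writeStored(gclidRecord);
      }

      var gclid = gclidRecord || readStored();
      var isGclidValid = !!gclid && typeof gclid === 'object' && Date.now() < gclid.expiryDate;

      if (currGclidFormField && isGclidValid) {
        currGclidFormField.value = gclid.value;
      }
    }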

    // Defer until the page (and any form holding gclid_field) has loaded.
    window.addEventListener('load', function () {
      addGclid();
    });
  </script>
        
    </body>
</html>
